When antivirus software is installed and activated, there is usually an assumption that the system is automatically safer. Antivirus software is still software, however, and it can be exploited like any other, as the 2019 data breach at Japanese electronics giant Mitsubishi Electric demonstrates.
Mitsubishi Electric did not disclose what software it was using or exactly what the nature of the breach was; it took more than six months to even admit that there had been a breach. The company did, however, reveal that it had likely lost trade secrets and the personal data of employees.
The June 2019 Mitsubishi Electric data breach
Mitsubishi Electric revealed that the hackers exploited a zero-day vulnerability in the company’s antivirus software. The unnamed supplier has apparently since patched the vulnerability.
The breach took place in late June 2019, but was not revealed to the public until 20 January 2020. Japanese data privacy law at the time did not require companies to report data breaches either to the government or to the victims, but it is considered customary and standard practice to do so.
Confidential information stolen by the attackers includes technical and sales materials. Corporate and government clients that may have been affected include Japan's Ministry of Defense and the Nuclear Regulation Authority. The attackers also had access to the personal data of over 8,000 people: job applicants, prospects recruited from universities, and former employees who had retired from the company. The intrusion appears to have given the attackers access to about 40 servers and 120 computers, some of them terminals located outside Japan. A total of about 200 MB of files was stolen.
The breach also appears to have begun at an affiliate rather than at Mitsubishi Electric itself: an unnamed affiliated company in China was reportedly compromised first, and the attackers used accounts hijacked there to gain access to the parent company's network.
Mitsubishi Electric revealed that the attackers had deleted log files as part of the attack, which hampered the investigation, but otherwise offered no explanation for why it took so long to detect and report the breach.
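Log deletion of the kind described above is why an intrusion can stay hidden for months, and the standard countermeasure is to forward event logs to a collector the attacker cannot reach and to alert when a local log is cleared. The following is an added example, not code from the original article or from Mitsubishi Electric: a small Python check over a constructed sample of forwarded Windows events that flags the explicit clear events (Security event 1102, System event 104) and also record-number resets or gaps, which indicate tampering even when the clear event itself never arrives. The host names, user names and the simplified field names are assumptions made for the illustration.

```python
"""Detect event-log clearing and record tampering in a forwarded log copy.

Added example (not from the original article). Assumes events were
forwarded in arrival order to a central collector, so the clear events
and the record-number reset survive even after the local logs were wiped.
"""

# Windows event IDs that record an event log being cleared.
LOG_CLEARED = {
    ("Security", 1102),  # "The audit log was cleared"
    ("System", 104),     # "The <channel> log file was cleared"
}

# Constructed sample of forwarded events, in arrival order at the collector.
# Field names are simplified versions of the Windows XML fields
# (Computer, Channel, EventRecordID, EventID, SubjectUserName).
SAMPLE_EVENTS = [
    {"host": "srv01", "channel": "Security", "record_id": 50010, "event_id": 4624, "user": "alice"},
    {"host": "srv01", "channel": "Security", "record_id": 50011, "event_id": 4688, "user": "alice"},
    {"host": "srv01", "channel": "Security", "record_id": 50012, "event_id": 4624, "user": "svc_admin"},
    # The local Security log is cleared: the forwarded copy keeps the 1102
    # event, and the record counter restarts from 1.
    {"host": "srv01", "channel": "Security", "record_id": 1, "event_id": 1102, "user": "svc_admin"},
    {"host": "srv01", "channel": "Security", "record_id": 2, "event_id": 4624, "user": "alice"},
    {"host": "srv02", "channel": "System", "record_id": 9000, "event_id": 7036, "user": "SYSTEM"},
    {"host": "srv02", "channel": "System", "record_id": 9001, "event_id": 104, "user": "svc_admin"},
    # srv03: no clear event, but records 702-704 never arrived.
    {"host": "srv03", "channel": "Security", "record_id": 700, "event_id": 4624, "user": "bob"},
    {"host": "srv03", "channel": "Security", "record_id": 701, "event_id": 4634, "user": "bob"},
    {"host": "srv03", "channel": "Security", "record_id": 705, "event_id": 4624, "user": "bob"},
]


def find_log_tampering(events):
    """Return one finding per suspicious event.

    Reasons: "clear-event" (an explicit clearing event), "record-id-reset"
    (the per-channel record counter went backwards, which happens after a
    clear) and "record-id-gap" (records missing from the forwarded stream).
    """
    findings = []
    last_seen = {}  # (host, channel) -> record_id of the previous event
    for ev in events:
        key = (ev["host"], ev["channel"])
        reasons = []
        if (ev["channel"], ev["event_id"]) in LOG_CLEARED:
            reasons.append("clear-event")
        prev = last_seen.get(key)
        if prev is not None:
            if ev["record_id"] < prev:
                reasons.append("record-id-reset")
            elif ev["record_id"] > prev + 1:
                reasons.append("record-id-gap")
        last_seen[key] = ev["record_id"]
        if reasons:
            findings.append({
                "host": ev["host"],
                "channel": ev["channel"],
                "event_id": ev["event_id"],
                "user": ev["user"],
                "reasons": reasons,
            })
    return findings


def hosts_to_triage(events):
    """Sorted list of hosts with at least one finding."""
    return sorted({f["host"] for f in find_log_tampering(events)})


if __name__ == "__main__":
    for finding in find_log_tampering(SAMPLE_EVENTS):
        print(finding)
    print("triage:", hosts_to_triage(SAMPLE_EVENTS))
```

On the sample data this flags srv01 (clear event plus counter reset), srv02 (clear event) and srv03 (missing records). A record-ID gap is only a strong signal when the forwarding subscription sends the whole channel; a subscription that filters to selected event IDs produces gaps by design, so tune that reason to the collection setup before alerting on it.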
The antivirus software vulnerability
It would be helpful to the general public to know what antivirus software Mitsubishi Electric was using, so that other companies could determine if they had a vulnerability window of their own at the time.
The most recent public information indicates that Mitsubishi Electric was using Trend Micro security software in 2015, but there is nothing available to confirm whether that was still the arrangement at the time of the breach.
Who hacked Mitsubishi Electric?
The Japanese newspaper Asahi Shimbun is reporting that Mitsubishi Electric may have been struck by the Chinese cyber espionage group Tick, also tracked as "Bronze Butler". Some coverage has labelled the group APT40, but APT40 is a separate China-linked group and the two names should not be used interchangeably.
Tick has been active since at least 2008. The group has spent most of its time on Japanese targets in defence, heavy industry and technology, most commonly using spear phishing to gain a foothold and steal sensitive data.
The focus on material that helps China bolster its naval power, and on influencing elections in Southeast Asian nations to advance the Belt and Road Initiative, belongs to APT40's profile rather than Tick's.
Tick tends to infiltrate systems quietly and remain for long periods of time, leaving behind persistence mechanisms so that compromised systems can be re-infected if the intrusion is detected and cleaned up.
The risk of attacks through security software
While a vulnerability of this nature in trusted antivirus software is unusual, it is not unheard of.
As Elad Shapira, Head of Research at Panorays, observed:
“The data breach at Mitsubishi Electric through its antivirus software effectively demonstrates that no company is immune to cyberattacks—even those that focus on security. Cyberattacks through anti-virus companies are nothing new. In 2012, it was discovered that hackers had breached the Symantec network six years earlier, and in 2015, Kaspersky and Bitdefender suffered cyberattacks. Moreover, in April, hackers attacked three top US antivirus companies. Such attacks are particularly damaging because security software can access the entire company; therefore, it’s like stealing the keys from the keymaster. As ironic as it might sound, the only possible way that Mitsubishi Electric’s cyber incident might have been prevented is by thoroughly assessing and continuously monitoring the cyber posture of the antivirus company. Lesson learned? Every organization is vulnerable.”
How does an organization account for the possibility of an attack through the very software designed to secure its internal network? The answer is a solid, holistic risk mitigation plan. Each piece of security software needs to be evaluated in the same way as all other software (patch cadence, privileges it runs with, what it can reach on the network), and redundancy and recovery measures need to be in place for the case where it is the component that fails.
Though zero-day attacks on antivirus programs do happen on occasion, they are not frequent enough to be considered a “trend” and never really have been. While the antivirus software is a tempting target due to its system permissions and privileges, it is also usually one of the most hardened ones. Hackers have much lower-hanging fruit to focus on that provides very useful levels of access: Flash, Java, email clients, browsers, code libraries, APIs and more.
Antivirus software is only a hard target if it is current and updated, however. There are public exploits for older, outdated versions of a number of major antivirus products. Security software should not only be kept up to date, but sourced from a vendor with a track record of finding and patching issues promptly.
Data breach risk mitigation also includes recovery components such as insurance, backups, personnel readiness and scrubbing of systems.
“As of 2020, essentially every business is a software business in some way, shape, or form. As such, software is critical infrastructure. It is an attractive target for attackers and many organisations have valuable information that must be protected. Software also serves as the foundation for other critical infrastructure, such as utilities, transportation, and healthcare. In these cases the stakes are even higher. Using a structured approach to minimising risk means less danger for the organisation and its customers.
“Cybersecurity cannot be effectively managed with a one-time effort, but must be woven into the fabric of each organisation. A comprehensive security initiative includes three related efforts. First, organisations must control the supply chain of acquired software. Every piece of software presents some risk that must be evaluated and managed. Second, the security of software produced by the organisation must be managed using a secure development life cycle. Finally, an incident response plan ensures that the organisation can minimise damage when cyber attacks happen.”